Merge pull request #1453 from RylandDeGregory/main

simonjj · web-flow · commit b4d676be9cc3 · 2025-08-20T10:36:36.000-05:00
Add modules to approve private endpoints, refactor existing template
diff --git a/templates/bicep/privateEndpointFrontDoor/README.md b/templates/bicep/privateEndpointFrontDoor/README.md
@@ -1,56 +1,30 @@
-# Bicep Deployment of ACA + Private Endpoint + Azure Front Door
-
-These Bicep files automate the process outlined in these two articles:
-
-* [Create a private link to an Azure Container App with Azure Front Door](https://learn.microsoft.com/en-us/azure/container-apps/how-to-integrate-with-azure-front-door)
-* [Use a private endpoint with an Azure Container Apps environment](https://learn.microsoft.com/en-us/azure/container-apps/how-to-use-private-endpoint?pivots=azure-cli)
-
-
-# Usage
-
-## Deployment
-
-1. Define some variables:
-
-```bash
-export RESOURCE_GROUP="my-resource-group"
-export LOCATION="centralus"
-```
-
-
-2. Create a resource group of your choosing:
-   
-```bash
-az group create --location $LOCATION --name $RESOURCE_GROUP
-```
-
-
-3. Deploy the Bicep
-If you want to change any of the names for any of the deployed resources please edit the top of `main-mgd-net.bicep`. After you're satisfied we start the deployment.
-
-```bash
-az deployment group create --resource-group $RESOURCE_GROUP --template-file main-mgd-net.bicep
-```
-
-
-## Approving the Connection
-
-As the last step you have to approve the private endpoint from AFD into ACA. This can be done by following first [listing your private endpoint](https://learn.microsoft.com/en-us/azure/container-apps/how-to-integrate-with-azure-front-door#list-private-endpoint-connections) connections, and then [approving them](https://learn.microsoft.com/en-us/azure/container-apps/how-to-integrate-with-azure-front-door#approve-the-private-endpoint-connection).
-
-```bash
-export ENVIRONMENT_NAME=mycontainerappenv # Assuming names are kept as they are in the Bicep file
-
-az network private-endpoint-connection list \
-    --name $ENVIRONMENT_NAME \
-    --resource-group $RESOURCE_GROUP \
-    --type Microsoft.App/managedEnvironments
-
-# Record the private endpoint connection resource ID from the response. Don't confuse this with the private endpoint ID. Replace the <PLACEHOLDER> with the private endpoint connection resource ID.
-az network private-endpoint-connection approve --id <PRIVATE_ENDPOINT_CONNECTION_RESOURCE_ID>
-```
-
-
-# NOTES
-
-* Not all warnings have been eliminated in this Bicep
-* The connection approval is still manual, PRs welcome
+# Bicep Deployment of ACA + Private Endpoint + Azure Front Door
+
+These Bicep files automate the process outlined in these two articles:
+
+* [Create a private link to an Azure Container App with Azure Front Door](https://learn.microsoft.com/en-us/azure/container-apps/how-to-integrate-with-azure-front-door)
+* [Use a private endpoint with an Azure Container Apps environment](https://learn.microsoft.com/en-us/azure/container-apps/how-to-use-private-endpoint?pivots=azure-cli)
+
+# Usage
+
+## Deployment
+
+1. Define some variables:
+
+```bash
+export RESOURCE_GROUP="my-resource-group"
+export LOCATION="centralus"
+```
+
+1. Create a Resource Group:
+
+```bash
+az group create --location $LOCATION --name $RESOURCE_GROUP
+```
+
+1. Deploy the Bicep Template
+If you want to change the name of any of the deployed resources, please edit the top of `main-mgd-net.bicep`. After you're satisfied, start the deployment.
+
+```bash
+az deployment group create --resource-group $RESOURCE_GROUP --template-file main-mgd-net.bicep
+```
diff --git a/templates/bicep/privateEndpointFrontDoor/containerappenv-pe-approve.bicep b/templates/bicep/privateEndpointFrontDoor/containerappenv-pe-approve.bicep
@@ -0,0 +1,19 @@
+@description('Name of the Azure Container Apps environment')
+param environmentName string
+
+@sys.description('Private Link resources that will be connected to the Azure Container Apps environment.')
+param containerAppsEnvironmentSharedPrivateLinks array
+
+resource containerAppEnv 'Microsoft.App/managedEnvironments@2024-10-02-preview' existing = {
+  name: environmentName
+}
+
+resource containerAppEnvPrivateEndpointAccept 'Microsoft.App/managedEnvironments/privateEndpointConnections@2024-10-02-preview' = [for privateLink in containerAppsEnvironmentSharedPrivateLinks: {
+  name: privateLink.name
+  parent: containerAppEnv
+  properties: {
+    privateLinkServiceConnectionState: {
+      status: 'Approved'
+    }
+  }
+}]
diff --git a/templates/bicep/privateEndpointFrontDoor/containerappenv-pe.bicep b/templates/bicep/privateEndpointFrontDoor/containerappenv-pe.bicep
@@ -0,0 +1,14 @@
+@description('Name of the Azure Container Apps environment')
+param environmentName string
+
+resource containerAppEnv 'Microsoft.App/managedEnvironments@2024-10-02-preview' existing = {
+  name: environmentName
+}
+
+module containerAppsEnvironmentPrivateAccess 'containerappenv-pe-approve.bicep' = {
+  name: 'ContainerAppsEnvironment-PrivateAccess'
+  params: {
+    environmentName: environmentName
+    containerAppsEnvironmentSharedPrivateLinks: filter(containerAppEnv.properties.privateEndpointConnections, connection => connection.properties.privateLinkServiceConnectionState.status == 'Pending')
+  }
+}
diff --git a/templates/bicep/privateEndpointFrontDoor/dns-a-record.bicep b/templates/bicep/privateEndpointFrontDoor/dns-a-record.bicep
@@ -1,32 +1,30 @@
-param privateDnsZoneName string 
-param privateEndpointName string
-param containerAppEnv object
-
-
-resource existingPrivateZone 'Microsoft.Network/privateDnsZones@2024-06-01' existing = {
-  name: privateDnsZoneName
-}
-
-resource existingPrivateEndpoint 'Microsoft.Network/privateEndpoints@2021-08-01' existing = {
-  name: privateEndpointName
-}
-
-
-// use privateEndpoint.customDnsConfigs[0].ipAddresses[0] to get the private IP address
-// aca envs default domain containerAppEnv.properties.defaultDomain
-resource dnsRecordSet 'Microsoft.Network/privateDnsZones/A@2024-06-01' = {
-  parent: existingPrivateZone
-  name: containerAppEnv.properties.defaultDomain
-  location: 'global'
-  properties: {
-    ttl: 3600
-    aRecords: [
-      {
-        // we use the private endpoint IP from the subnet for our private DNS A record below
-        ipv4Address: existingPrivateEndpoint.properties.customDnsConfigs[0].ipAddresses[0]
-      }
-    ]
-  }
-
-}
-
+param privateDnsZoneName string
+param privateEndpointName string
+param containerAppEnv object
+
+
+resource existingPrivateZone 'Microsoft.Network/privateDnsZones@2024-06-01' existing = {
+  name: privateDnsZoneName
+}
+
+resource existingPrivateEndpoint 'Microsoft.Network/privateEndpoints@2021-08-01' existing = {
+  name: privateEndpointName
+}
+
+
+// use privateEndpoint.customDnsConfigs[0].ipAddresses[0] to get the private IP address
+// aca envs default domain containerAppEnv.properties.defaultDomain
+resource dnsRecordSet 'Microsoft.Network/privateDnsZones/A@2024-06-01' = {
+  parent: existingPrivateZone
+  name: containerAppEnv.properties.defaultDomain
+  properties: {
+    ttl: 3600
+    aRecords: [
+      {
+        // we use the private endpoint IP from the subnet for our private DNS A record below
+        ipv4Address: existingPrivateEndpoint.properties.customDnsConfigs[0].ipAddresses[0]
+      }
+    ]
+  }
+
+}
diff --git a/templates/bicep/privateEndpointFrontDoor/main-mgd-net.bicep b/templates/bicep/privateEndpointFrontDoor/main-mgd-net.bicep
